nixos-config/nixos/modules/services/enthalpy/nat64.nix

# Portions of this file are sourced from
# https://github.com/NickCao/flakes/blob/3b03efb676ea602575c916b2b8bc9d9cd13b0d85/modules/gravity/default.nix
{
  config,
  lib,
  pkgs,
  mylib,
  ...
}:
with lib;
let
  cfg = config.services.enthalpy;
in
{
  options.services.enthalpy.nat64 = {
    enable = mkEnableOption "NAT64";
    prefix = mkOption {
      type = types.str;
      default = "64:ff9b::/96";
      description = ''
        IPv6 prefix used for NAT64 translation in the network.
      '';
    };
    dynamicPool = mkOption {
      type = types.str;
      default = "100.127.0.0/16";
      description = ''
        IPv4 address prefix allocated for dynamic IP assignment.
      '';
    };
  };

  config = mkIf (cfg.enable && cfg.nat64.enable) {
    systemd.network.config.networkConfig.IPv6Forwarding = true;

    systemd.network.networks."70-nat64" = {
      matchConfig.Name = "nat64";
      routes = [
        {
          Destination = cfg.nat64.prefix;
          Table = config.networking.routingTables.nat64;
        }
        { Destination = cfg.nat64.dynamicPool; }
      ];
      networkConfig.LinkLocalAddressing = false;
      linkConfig.RequiredForOnline = false;
    };

    systemd.services.enthalpy-nat64 = {
      serviceConfig = mylib.misc.serviceHardened // {
        Type = "forking";
        Restart = "on-failure";
        RestartSec = 5;
        DynamicUser = true;
        ExecStart = "${pkgs.tayga}/bin/tayga --config ${pkgs.writeText "tayga.conf" ''
          tun-device nat64
          ipv6-addr fc00::
          ipv4-addr 100.127.0.1
          prefix ${cfg.nat64.prefix}
          dynamic-pool ${cfg.nat64.dynamicPool}
        ''}";
        CapabilityBoundingSet = [ "CAP_NET_ADMIN" ];
        AmbientCapabilities = [ "CAP_NET_ADMIN" ];
        PrivateDevices = false;
      };
      after = [ "netns-enthalpy.service" ];
      partOf = [ "netns-enthalpy.service" ];
      wantedBy = [
        "multi-user.target"
        "netns-enthalpy.service"
      ];
    };

    networking.nftables = {
      enable = true;
      tables.enthalpy-nat64 = {
        family = "ip";
        content = ''
          chain forward {
            type filter hook forward priority 0;
            tcp flags syn tcp option maxseg size set 1200
          }
        '';
      };
    };
  };
}